Internal Controls
Risk Management Service
Learning goals
• Defining Internal Control & Understanding the Internal Control
Framework
• GAO’s Standards for Internal Control in the Federal Government
• OMB Uniform Grant Guidance—requirements for internal controls
• ED’s A123 Internal Control Review Process
• Internal Controls and YOU
• Implementing Strong Internal Controls in Your Agency
• Consequences of Not having Strong Internal Controls-Avoiding the
Pitfalls
• Case Study
• Case Study Discussion & Analysis
• Conclusion/Wrap Up
• Questions
Defining internal control
• Internal Control: a process effected by an entity’s oversight body,
management and/or other personnel that provides reasonable assurance
that the objectives of an entity will be achieved. These objectives and
related risks can be classified into one or more categories:
• 1. Operations: effectiveness and efficiency of operations and safeguarding
of assets necessary to carry out operations.
• 2. Reporting: reliable reporting for both internal and external use; this
includes financial and non-financial reporting.
• 3. Compliance: compliance with applicable laws and regulations.
• What is an Internal Control System: a continuous built in component
of operations, effected by people, that provides reasonable assurance,
not absolute assurance that an entity’s objectives will be achieved.
• How does all of this come together—the five components of Internal
Control, as established by the Government Accountability Office (GAO).
GAO’s Standards for Internal Controls
• Recently revised: GAO revised their standards--aka the Green
Book--in 2014, which then became effective in 2016.
• Standards to guide agency’s operations: GAO established
these standards so that government agencies know what
internal control is (and isn’t), how it should work effectively
within agencies, how entities should use the Green Book and
identification of the five key components of internal control.
(The revised version highlights 17 principles within these 5
components.)
• Resource not just for federal entities: The Green Book may
also be used and adopted by state & local government
agencies, as well as nonprofits. Management can determine
how to appropriately apply the elements within the Green
Book to their particular agencies’ needs.
Five Components of Internal Control
Control Environment
Control environment: this is the foundation of any internal control system.
5 principles
1. Management demonstrates commitment to integrity and ethical values.
2. Management/oversight body oversees the entity’s internal control system.
3. Management establishes an organizational structure, assigns
responsibilities and delegates authority to achieve the agency’s mission
and objectives.
4. Management demonstrates a commitment to recruit, train and retain
competent people.
5. Management evaluates performance and holds individuals accountable for
their internal control responsibilities.

Management establishes the control environment and this is the system
under which employees will operate.
Control Environment (cont.)
The Control Environment should ensure controls are in place, covering
areas such as:
• Hiring Practices
• Training Programs
• Whistleblower Policies
• Code of Ethics
• Clear lines of responsibility and authority
• Grants/program administration
• Fiscal management and operations
Monitor & Update the Control Environment
Control Environment (cont.)
The Control Environment should be documented. Types
of documentation that can be used are:
• Process narratives
• Organizational Charts
• Flowcharts
• Questionnaires
• Memorandums
• Checklists
• Etc.
Risk assessment
Risk Assessment: identifying and assessing the potential risks facing
the agency, and developing the appropriate risk mitigation tools and
strategies to minimize risk occurrences.
4 Principles
1. Management defines agency objectives so that risks can be identified
and risk tolerance (or risk appetite) levels can be established.
2. Management identifies, analyzes and responds to risks related to the
agency achieving its mission and objectives.
3. Management considers the risk for potential fraud.
4. Management identifies, analyzes and responds to significant changes
that could impact the internal control system.
At all levels, management establishes the organizational priorities for
how it handles its risk assessment process.
Risk assessment (Cont.)
Risk Assessment Categories to help identify and assess risks:
Strategic Risk—political risk, talent and succession planning risk, risk
from dependence on other organizations
Financial Risk—risk of audit findings and other things that would
undermine reporting integrity
Compliance Risk—fraud, theft, embezzlement and/or noncompliance with
regulations and requirements
Operational Risk—risk that Programs may fail to meet their objectives,
mishandle federal grant funds, natural disasters, lack of accessible
technology, etc.

Risk assessment is critical especially when agencies are facing constrained
resources because it allows for targeted and strategic use of available
resources.
Risk assessment (Cont.)
Risk Assessment vs. Risk Management
Risk Assessment is an element of internal control within the risk
management process that allows management to identify and assess
key risks to achieving its objectives; this assessment forms the basis
upon which control activities are determined.
Risk Management is a process applied in a strategic manner across the
entity, that is designed to identify and manage risks to stay within a
risk appetite or risk tolerance level, to provide reasonable
assurance about achieving entity goals and objectives.
Risk assessment (Cont.)
Once an objective is established, apply these risk assessment factors:
• Materiality of the amount of funds/dollars in question
• Complexity or difficulty of the process
• History of accounting or procedural (operational) adjustments
• Propensity for change or deviations in the process or controls

This helps to assess the risk, the risk likelihood and potential
impact.
Risk assessment (cont.)
Internal Risks
• Use of qualitative/quantitative methods
• Change in management
• Weak or unresponsive tone set by leadership
• Human capital—quality and/or quantity of personnel
• Rapid growth or reduction
• Change in processes
External Risks
• Technological advances
• Impact of program changes
• Changing legislature
• Decentralized organization operations
• Natural disasters
• Changing client or constituent needs or expectations
Risk assessment (cont.)
Risk Strategies
Control activities
Control Activities: actions management establishes through policies
and procedures to achieve objectives and respond to risks in the
internal control system, which includes the agency’s information
system.
3 Principles
1. Management designs control activities to achieve objectives and
respond to risks.
2. Management designs the entity’s information system and related
control activities to respond to risks.
3. Management implements control activities through written policies.

Control Activities should be established by management.


Control activities (cont.)
Control Activities are the heart of the internal
control system.
Understanding the Types of internal control activities
• Preventive—these controls help management to avoid
problems before they occur. Prevent the occurrence of
negative events.
• Detective—these controls help to uncover issues after
they’ve occurred. Identify the occurrence of a negative event.
• Corrective—these controls detect if risk is present, and then
elicit a response and/or corrective action.
Control Activities (cont.)
Examples of Control Activities
• Approvals and authorizations (Preventive)
• Reconciliations (Detective)
• Independent Reviews (Detective)
• Segregation of Duties (Preventive)
• Training (Preventive)
• Corrective Action Plan (Corrective)
• Monitoring (Corrective)
• Update/Implement SOPs (Corrective and/or Preventive)
• Asset Security (Preventive)
Control Activities (cont.)
Manual vs. automated controls
Manual controls require action(s) to be taken by an employee;
automated controls are built into the network infrastructure
and software applications. Automated controls are always
preferable.
Manual controls:
• Obtain supervisor’s approval for Overtime
• Reconciliation of bank accounts
Automated controls:
• Password protections
• Data entry validation checks
Control activities (cont.)
Compensating Control
• If a weakness or limitation exists within the control environment, a
compensating control may be implemented to help mitigate risk.
• Compensating controls can be preventive or detective.
• Potential compensating controls could be: automation of certain
transaction data and management review.
• Compensating controls are put in place when management knows the
recommended control activity is not possible with existing resources.
• Segregation of duties is a very important compensating control activity.
• Creates checks and balances within critical functions
• One person is not responsible for initiation and approval
• Fraud and error are major risks in payroll management
• Always establish segregation of duties in financial and operational
functions
Information and communication
Information and Communication: high quality information that
management and personnel communicate and use to support the
internal control system.
3 Principles
1. Management should use quality information to achieve the agency’s
goals and objectives.
2. Management should internally communicate the necessary quality
information to achieve the entity’s objectives.
3. Management should externally communicate the necessary information
to achieve the agency’s mission and objectives.

Management establishes expectations regarding what a quality
information and communication system should look like, and staff
follows suit.
Information and communication (Cont.)
Information employees and stakeholders need to know.
• Agency initiatives
• Goals
• Challenges
• Opportunities
• Feedback
• Questions
• Policies and Procedures
• Standards
• Expectations
• Incentives/Rewards
• Consequences for non compliance

Communication strategies have evolved in the era of social media. Agencies utilize
email, text messages, Twitter, Facebook, LinkedIn, apps, mail, phone, etc. to
communicate internally and externally.
Monitoring
Monitoring: activities management establishes to assess the quality of
performance over time and to promptly resolve management reviews or
audit findings. This helps to determine if controls are working as they
should.
2 Principles
1. Management establishes and operates monitoring activities to assess
the internal control system and evaluate results.
2. Management remediates identified internal control deficiencies in a
timely manner.

Management makes monitoring a priority and uses the results of
monitoring to improve and strengthen internal controls and agency
operations.
Monitoring (cont.)
Monitoring activities help to determine whether internal
controls are present and functioning as intended.
Types of Evaluations
• Ongoing Evaluations
• Built into business practices
• Provide timely information
• Frequently conducted
• Separate Evaluations
• Conducted periodically
• Variation in scope and frequency

Evaluations can sometimes reveal deficiencies or findings. These
need to be addressed and rectified in a timely manner.
Monitoring (cont.)
Monitoring/Validating Controls
Deficiency in Design
• A critical control is not properly designed and does not meet the
control objective, or is simply ineffective.
Deficiency in Operations
• A critical control is designed properly but does not perform in the
intended manner and is unable to address the identified risks.
Monitor frequently for effectiveness
• Review supporting documentation
• Review reconciliations
• Review policies and procedures and observe demonstrations to
ensure procedures are being followed properly
Monitoring (cont.)
The Importance of supporting documentation
Documentation should always be maintained to determine that SOPs and
protocols are being followed and authorized activities have
occurred.
Documentation must contain adequate information that:
• Identifies who performed the work and when
• Indicates the nature, timing, extent and results of the procedures
performed
• Enables understanding of the evidence obtained
• Supports the conclusions, activities and/or purchases that are made
OMB Uniform Grant guidance
Part 200—Uniform Administrative Requirements, Cost Principles
and Audit Requirements for Federal Awards, §200.303 “Internal
Controls”
Non Federal Entities must execute the following (5) five actions:
• (a) establish and maintain effective internal control over the Federal
award that provides reasonable assurance that the non-Federal entity is
managing the Federal award in compliance with Federal statutes,
regulations, and the terms and conditions of the award. See the Green
Book and Internal Control Integrated Framework by COSO (Committee
of Sponsoring Organizations of the Treadway Commission).
• (b) Comply with Federal statutes, regulations, and the terms and
conditions of Federal awards.
• (c) Evaluate and monitor the non-Federal entity’s compliance with
statute, regulations and terms and conditions of Federal awards.
OMB Uniform Grant guidance (cont.)
Part 200—Uniform Administrative Requirements, Cost
Principles and Audit Requirements for Federal Awards,
§200.303 “Internal Controls”
Five actions cont.
• (d) Take prompt action when instances of non compliance are
identified including non compliance identified in audit findings.
• (e) Take reasonable measures to safeguard protected personally
identifiable information (PII).
TAKEAWAYS:
1. Establish and implement an internal control system
that complies with laws and requirements.
2. Evaluate and monitor compliance with laws and
requirements.
3. Identify and communicate findings/deficiencies with
key stakeholders.
4. Develop and implement a corrective action plan
when deficiencies occur. Ensure CAP completion.
5. Implement procedures to protect important
information.
6. Look for ways to constantly improve internal control
system.
ED’s A-123 Internal control review process
• Internal Control Review Shift: in 2008, A-123 internal control reviews at
ED shifted from financial compliance audits to include the evaluation of the
internal operations of ED grant-making offices.
• Federal Managers’ Financial Integrity Act (FMFIA): agencies must establish
internal control and financial systems that provide reasonable assurance
that the three objectives of internal control are achieved (effectiveness and
efficiency, compliance and reliable financial reporting). FMFIA requires
reporting of programs, financial reporting and financial management
systems.
• OMB Circular A-123 “Management’s Responsibility for Internal
Controls:” promulgates the FMFIA requirement and defines management’s
responsibility for implementing internal control within their agencies.
• Every year ED conducts A-123 internal control reviews. Operational
(programmatic/grants management) challenges are usually noted; controls
and corrective actions are implemented to address concerns.
• Training: employees take a mandatory annual Internal Control training to
fortify knowledge and understanding of requirements.
Your agency’s internal control review process

• Every unit within your organization should have an established and
transparent internal control system, codified by SOPs. This includes:
property & procurement, budget, payroll, accounting office, human
resources, federal grants office, etc.
• Establish a system that allows for clear understanding of the entire
process from start to finish.
• Get staff invested and educated about what the internal control system
looks like within your agency.
Internal controls and you
• Understand what internal control is and is not. There are requirements,
but make sure your work is aligned with those requirements and not adding
additional stress, burden or undue complexity.
• Management establishes the internal control system. Employees must
know and understand the internal control system, what their responsibilities
are and how their actions contribute to and affect the overall system and their
discrete duties.
• Standardize your process. Follow procedures and document operational
activities.
• Personal Ownership: Take responsibility for your role and communicate any
challenges or concerns to management.
• Group Effort: Everyone is responsible for implementing strong internal
controls in their everyday work environment.
• Value: Create meaning and purpose in work, so that executing the process is
engrained in staff culture and is not viewed as burdensome or time
consuming.
Internal controls and you (cont.)
Basic concepts to make Internal Controls work for you!
• Establish responsibility—know who is supposed to be doing what. Key
tasks need to be assigned to specific individual(s) and communicated
across the agency.
• Segregate Duties—maintain proper custody of assets, record
transactions, authorize transactions and reconcile transactions. Create a
checks and balances system to avoid theft, fraud or improprieties.
• Restrict Access—do not allow just anyone to have access to critical or
sensitive information. Access should be given only to those who need to
complete assigned duties.
• Document Procedures and Transactions—supporting documentation
is critical to every business practice and operational function. Always
retain documentation (electronic and manual).
• Independently Verify—corroborate information.
Implementing strong internal controls within your
agency
An Internal Control System is a Critical Component of Effective
Grants Management

1. Any organization that is awarded federal grant funds must build a
system of internal controls to effectively manage the grant funds it
receives.
2. A weak internal control system can lead to mismanagement of
federal grant funds.
3. Severe mismanagement can lead to serious problems, such as:
special conditions, restrictions on grants including: route
payments/disbursements, high risk designation, federal intervention
(including monitoring and/or Technical Assistance), etc.
4. Consider developing an Internal Audit division within your agency. If
your agency already has one, make sure it’s built up and operating
with fidelity.
Implementing strong internal controls within your
agency (cont.)
Build competence, understanding and sustainability.

Build capacity; have the right people at the table and invest in
training and professional development.
Implement: don’t be afraid to try new things, experiment and
determine what works best for your agency, and continuously review
the processes implemented.
Avoiding the pitfalls
What happens when things go wrong and the internal
control system fails?

1. Audit findings
2. Financial misstatements
3. Business or government losses
4. Federal Intervention
5. Criminal Investigations
6. Loss of public trust
7. Fraud or collusion
8. Program sustainability compromised
9. Reputational harm
10. Loss of funds
Conclusion